Do you have to pay if your information is held for ransom?

A screenshot shows a WannaCry ransomware demand. (Photo courtesy of Symantec/Handout via REUTERS)

In old television programs and movies, a classic plot element was the kidnapped corporate boss or wealthy young heiress held for ransom. Almost invariably, there’d be a ransom note spelled out with letters clipped from magazines and newspapers so the detectives wouldn’t know whom it came from. This cliché became so well known that there are now ransom note fonts available.

Fast-forward to the 21st century and while ransoming is still a going concern, it’s information that’s held captive and the ransom note comes via email. Kidnapped information is a genuine problem of the Internet age and companies and individuals alike are all potential victims.

Putting the “P” in pirates

The media spotlight focused squarely on the issue of ransoming information with the recent announcement that hackers claiming to have stolen a digital copy of the new Pirates of the Caribbean movie were demanding money from Disney. The hackers allegedly threatened to release the movie in segments if the studio did not meet their demands.

Hackers target personal data and documents on accessible networks using programs called ‘ransomware’, usually delivered through phishing scam emails. The ransomware then encrypts the files, making them inaccessible to their owners. In the standard scenario, the hackers demand a sum of money from the business or individual in exchange for decrypting the information.

Ransomware is big business and it’s a worldwide issue. The problem is so serious that some experts expect the ransomware protection market to grow to a $17.36 billion industry by 2021.

To pay, or not to pay?

Depending on what the data is, it may be very tempting to simply pay the ransom, retrieve the data and then work on beefing up cyber-security to prevent another attack. The risk is that you might pay the money and still not get your data back. There are no face-to-face interactions, so you’ll likely never know who is holding your data, and the payment is usually untraceable, often made in a cryptocurrency like Bitcoin.

There are those who advocate paying the ransom if the data is absolutely critical and time sensitive. In other words, if your business won’t survive long without access to the data, it may be worth the risk.

On the other hand, no less an authority than the Homeland Security Department's Enterprise Performance Management Office says the U.S. government recommends against paying ransom. They feel that if enough targets refuse to give in, eventually the ransom business will become less profitable and therefore less attractive to hackers.

In the end, it’s a question of how badly you want your data back. If you have the data backed up somewhere secure, you could simply have your computer wiped clean by a professional (even some commercially available software can scan a computer for certain ransomware programs and then remove them) and start over.
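Restoring from a backup, as suggested above, only works if the backup is known to be complete and unaltered, and if you can tell which files on the affected machine were actually damaged. The Python script below is an added example, not code from this article or from any product it mentions: it records SHA-256 hashes of a backup snapshot and later compares a working copy (or a freshly restored copy) against that record, reporting files that were overwritten, removed, or renamed. All file names and contents are constructed in temporary directories for the demonstration.

```python
"""Backup manifest check (added example, not part of the original article).

Record SHA-256 hashes of every file under a backup directory, then verify a
later copy of the data against that record. Files whose content changed, files
that vanished, and files that appeared under new names are all reported, which
is exactly what you want to know before deciding whether a backup is usable.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify(manifest, root):
    """Compare the directory at root against a previously built manifest.

    Returns a dict with sorted lists under 'ok', 'modified', 'missing' and
    'unexpected' so the caller can act on each category separately.
    """
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: take a backup snapshot, then damage the live copy
    by overwriting one file's content and renaming another with a new
    extension (the kind of change a file-encrypting program leaves behind)."""
    samples = {
        "docs/report.txt": b"quarterly figures",
        "photos/cat.jpg": b"\xff\xd8fake-jpeg-bytes",
    }
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        for root in (backup, live):
            for rel, data in samples.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)

        manifest = build_manifest(backup)  # taken while the data was intact

        # Simulated damage to the live copy only; the backup is untouched.
        with open(os.path.join(live, "docs/report.txt"), "wb") as f:
            f.write(b"unreadable garbage")
        os.rename(os.path.join(live, "photos/cat.jpg"),
                  os.path.join(live, "photos/cat.jpg.locked"))

        return verify(manifest, live)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the manifest would be written to the same offline or read-only location as the backup itself, so that it cannot be altered by whatever altered the live files; comparing a restored copy against it confirms the restore is complete before the machine goes back into service.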

Whether you do or do not pay the ransom, it is always a good idea to report the incident to the police. Holding data for ransom is a crime and any information you can provide to the authorities may help bring the perpetrators to justice.